Hospital Enterprise Risk Management


Enterprise Risk Management

Wayne L. Brannan, CPHRM, CBCP, CHSP, ARM


Director, Risk Management
The Medical University of South Carolina

What is Enterprise Risk Management?
• The COSO* Definition:
“Enterprise Risk Management is a process, effected by an entity’s Board of Directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

*The Committee of Sponsoring Organizations of the Treadway Commission www.coso.org

ERM Key Elements
• Analyzes risk “across the enterprise”
• Manages multiple risks in an integrated manner – rather than in separate risk “silos”
• Elevates Risk Management as a strategic partner in achieving corporate goals and objectives

Elements of ERM Framework
• Education and Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

Why ERM?
[Slide: collage of news headlines grouped around three themes: Corporate Scrutiny, Regulatory Issues, Research]
• MEDICAL CHIEF SURVIVES SCANDAL – TIES TO ENRON AND IMCLONE CALLED BAD LUCK
• MEDICAL OVER-BILLING RESULTS IN $5.6M FINE
• CHIEF UROLOGIST CHARGED WITH RESEARCH CONFLICT OF INTEREST
• EIGHT MORE HOSPITAL LAWSUITS ADDED TO ALLEGED CHARITY CARE VIOLATIONS
• UNIVERSITY MEDICAL CENTER MISUSES FEDERAL GRANT = $32M FINE
• MEDICAL CENTER CHARGED WITH RESEARCH FRAUD AND ABUSE
• AUDIT FINDS HOSPITAL FAILED TO REPORT HUNDREDS OF MISTAKES

Why ERM?
[Slide: collage of news headlines grouped around three themes: Foreign Issues, Outsourcing, Technology]
• THE DOCTOR IS IN BUT NOT IN THE U.S. – “nighthawking” to India, Israel, Australia . . .
• RAPIST ACCESSES PATIENT RECORDS – HOSPITAL MULLS CRIMINAL SCREENING
• CASE HEARING ON KIDNAPPING MEMBER OF DOCTORS WITHOUT BORDERS MISSION TO START ON MONDAY
• TELEMEDICINE AT HEART OF DIAGNOSTIC CHANGES
• STUDENT SEARCHING FOR INFORMATION ABOUT DOCTOR IS LINKED TO PRIVATE PATIENT FILES
• EXTORTION THREATS TO RELEASE PATIENT RECORDS – CLIENTS NOT INFORMED OF INDIA STAFFS BREACH
• HACKERS ACCESS 7000 PATIENT FILES
• DETAILED PSYCHOLOGICAL RECORDS ACCIDENTALLY POSTED ON WEBSITE FOR EIGHT DAYS

Why ERM?
[Slide: collage of news headlines grouped around the theme: Risk Outliers]
• DOCTOR SELLS OWN SPERM FOR IN VITRO FERTILIZATION
• LAWSUITS FILED OVER CUSTODY OF FROZEN EMBRYOS
• THE ETHICS OF BABY MAKING
• CA PHYSICIANS FIND SUCCESS IN THE SPA BUSINESS
• WILLED BODY PROGRAM SUSPENDED AMID ALLEGATIONS OF ILLEGAL BODY PARTS SALES
• WHY DID THEY DIE IN COSMETIC SURGERY?
• ORGAN REMOVAL RULED HOMICIDE
• BABY KIDNAP STAGED TO SUE HOSPITAL FOR BREACH OF SECURITY

Why ERM?
[Slide: collage of risk issues grouped around two consequences: Loss of Accreditation, Loss of Federal Funding]
• NON-COMPLIANCE INTERIM LIFESAFETY MEASURES
• LACK OF SUPERVISION OF STUDENTS’ ROTATIONS
• FAILURE TO GET INFORMED CONSENT FOR MINORS PARTICIPATING IN CLINICAL TRIALS
• NON REGISTRATION OF SELECT AGENTS USED IN RESEARCH
• FACULTY CONSULTING WITH PRIVATE SUPPLIERS OF MEDICAL DEVICE
• INAPPROPRIATE BILLING FOR TIME AND ACTIVITY WHILE WORKING UNDER FEDERALLY FUNDED GRANT
• INACCURATE REPORTING OF NONRESIDENT ALIENS

The Value of ERM
• The underlying premise of ERM is that every entity exists to provide value for its stakeholders
• Stakeholders of not-for-profit entities realize value when they recognize receipt of valued social benefit, i.e., “the Mission”
• A key to achieving that social benefit and a key to survival is to identify and manage risk across the enterprise rather than narrowly focusing on certain “traditional” risk areas
• ERM facilitates an entity’s ability to achieve its performance and profitability targets; it prevents loss of resources; it ensures compliance with laws and regulations; it avoids damage to reputations and achieves corporate goals and objectives – and does this from a broader perspective than traditional RM
• ERM identifies areas where due diligence/auditing is prudent due to increased corporate scrutiny (Leapfrog Initiative, Sarbanes-Oxley)

Roadblocks
• Complex & takes time
• Needs transition from Theory to Action plan
• Requires combined knowledge and focus – legal, financial, internal audit, clinical, insurance, compliance, operations, etc.
• Turf Wars between departments and divisions can occur
• Requires a new paradigm

How to Achieve ERM within your Facility
• Embrace “enterprise-wide” risk oversight
• Require that RM evaluate risk issues from new strategies well in advance of implementing those strategies
• Foster a collaborative effort to address risk and quality concerns – and to make proactive decisions including risk management considerations as well as operational strategies
• Determine and assign authority levels for managing risks
• Facilitate open communication of risk

Develop an ERM Roundtable
[Diagram: roundtable around the Chief Risk Officer, with seats for IT, HR, Compliance, Affiliates, Legal, Medical Staff, Operations, Faculty & Students, Research, Marketing, Finance, Internal Audit, Quality/Safety]

Role of Risk Officer
• Establish ERM policies and set goals for implementation
• Frame accountability and authority
• Promote ERM competence throughout the entity
• Guide integration of ERM with other business planning and management activities
• Oversee development of entity-wide and business unit specific risk tolerances
• Facilitate managers’ development of reporting protocols (ERM Roundtable)
• Report to senior leadership on progress and recommend action as needed

Develop a Strategy Matrix
• Define key organizational short and long term goals
  • Strategic
  • Operational
  • Financial
• Map key risk management issues that will support goals or that could threaten the goals
• Identify and prioritize risk management strategies
• Document assignments of responsibility and timelines for achieving goals and objectives

The Strategy Matrix
[Diagram: levels of the matrix, top to bottom]
Mission
Objectives: Strategic, Operational, Financial
Strategies
Risk Management Issues: Quality, Loss Control, Reporting, Compliance
Prioritize and apply RM Steps across the Enterprise
Action Plan to further objective/prevent failure of objective

The Strategy Matrix - SAMPLE
Strategy Matrix for ABC Hospital

The ERM Fusion Model
Incorporating JCAHO Patient Safety Goals
[Diagram: ERM linked to Patient Identification, Slips and Falls, Reconcile Medications, Communication, Reduce Infections, Medication Safety]

The ERM Fusion Model
Incorporating JCAHO’s Top 10 Items that will Make or Break You
[Diagram: ERM linked to Patient Identification, Slips and Falls, Reconcile Medications, Communication, Reduce Infections, Medication Safety, with the following items added around them]
• Violations of Patient Confidentiality
• Expired Medications/Supplies
• Use of Non-calibrated/Non-verified Equipment
• Inability to Articulate Section/Unit PI Processes
• Unfamiliarity with EM Procedures
• Unfamiliarity with NPSGs
• Inability to Validate Physician/Staff Competency
• Insufficient/Non-existent Documentation
• By-passing Informed Consent
• Improper Storage/Cluttered Areas

Questions?
